author | Andrew Bartlett <abartlet@samba.org> | 2018-08-15 10:44:03 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2018-08-15 07:08:24 +0200 |
commit | 28e2a518ff3233f49f1b61210754d044c670087b (patch) | |
tree | 249111173467c392bc59ad5f028890c92a86658f /source4/rpc_server | |
parent | aa01203ff51ec49dfdfeed6ab02bbe0cb3198d70 (diff) | |
download | samba-28e2a518ff3233f49f1b61210754d044c670087b.tar.gz |
dns_server: Avoid ldb_dn_add_child_fmt() on untrusted input
By using the new ldb_dn_add_child_val() we ensure that the user-controlled values are
not parsed as DN separators.
Additionally, the casefold DN is obtained before the search to trigger
a full parse of the DN before being handed to the LDB search.
This is not normally required but is done here due to the nature
of the untrusted input.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13466
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Diffstat (limited to 'source4/rpc_server')
-rw-r--r-- | source4/rpc_server/dnsserver/dnsdb.c | 11 | ||||
-rw-r--r-- | source4/rpc_server/dnsserver/dnsutils.c | 14 |
2 files changed, 21 insertions, 4 deletions
diff --git a/source4/rpc_server/dnsserver/dnsdb.c b/source4/rpc_server/dnsserver/dnsdb.c index 899c7ecedb6..81af5f1ceef 100644 --- a/source4/rpc_server/dnsserver/dnsdb.c +++ b/source4/rpc_server/dnsserver/dnsdb.c @@ -383,6 +383,7 @@ WERROR dnsserver_db_add_empty_node(TALLOC_CTX *mem_ctx, struct ldb_result *res; struct ldb_dn *dn; char *encoded_name = ldb_binary_encode_string(mem_ctx, name); + struct ldb_val name_val = data_blob_string_const(name); int ret; ret = ldb_search(samdb, mem_ctx, &res, z->zone_dn, LDB_SCOPE_BASE, attrs, @@ -400,7 +401,7 @@ WERROR dnsserver_db_add_empty_node(TALLOC_CTX *mem_ctx, dn = ldb_dn_copy(mem_ctx, z->zone_dn); W_ERROR_HAVE_NO_MEMORY(dn); - if (!ldb_dn_add_child_fmt(dn, "DC=%s", name)) { + if (!ldb_dn_add_child_val(dn, "DC", name_val)) { return WERR_NOT_ENOUGH_MEMORY; } @@ -1018,6 +1019,7 @@ WERROR dnsserver_db_create_zone(struct ldb_context *samdb, struct dnsp_DnssrvRpcRecord *dns_rec; struct dnsp_soa soa; char *tmpstr, *server_fqdn, *soa_email; + struct ldb_val name_val = data_blob_string_const(zone->name); /* We only support primary zones for now */ if (zone->zoneinfo->dwZoneType != DNS_ZONE_TYPE_PRIMARY) { @@ -1043,7 +1045,12 @@ WERROR dnsserver_db_create_zone(struct ldb_context *samdb, dn = ldb_dn_copy(tmp_ctx, p->partition_dn); W_ERROR_HAVE_NO_MEMORY_AND_FREE(dn, tmp_ctx); - if(!ldb_dn_add_child_fmt(dn, "DC=%s,CN=MicrosoftDNS", zone->name)) { + if (!ldb_dn_add_child_fmt(dn, "CN=MicrosoftDNS")) { + talloc_free(tmp_ctx); + return WERR_NOT_ENOUGH_MEMORY; + } + + if (!ldb_dn_add_child_val(dn, "DC", name_val)) { talloc_free(tmp_ctx); return WERR_NOT_ENOUGH_MEMORY; } diff --git a/source4/rpc_server/dnsserver/dnsutils.c b/source4/rpc_server/dnsserver/dnsutils.c index a1c749074af..b3d8949f8ab 100644 --- a/source4/rpc_server/dnsserver/dnsutils.c +++ b/source4/rpc_server/dnsserver/dnsutils.c 
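Review bot: In dnsserver_db_add_empty_node() a false return from `ldb_dn_add_child_val(dn, "DC", name_val)` is still mapped to `WERR_NOT_ENOUGH_MEMORY`, a mapping carried over from the old `_fmt` call. `name` is the untrusted value here, so a failure may be a rejected value rather than an allocation failure; the helper's failure modes are not visible on this page, so please confirm. Reporting bad client input as out-of-memory makes it harder to spot malformed requests in RPC results and logs. If the helper can fail on input, return `WERR_INVALID_PARAMETER` for that case. The same mapping appears in the dnsserver_db_create_zone() hunk further down.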
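Review bot: The two-step DN construction in dnsserver_db_create_zone() needs a comment, because nothing at the call site says why `zone->name` must stay out of the format string, and a later cleanup could merge the two calls back into one. Suggested comment above the second call: `/* zone->name is client-controlled: add it as a value so it cannot introduce extra DN components */`. The literal `"CN=MicrosoftDNS"` passed to `ldb_dn_add_child_fmt()` is fine as long as it remains a constant. The function body continues outside the hunk.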
@@ -371,6 +371,8 @@ struct ldb_dn *dnsserver_name_to_dn(TALLOC_CTX *mem_ctx, struct dnsserver_zone * { struct ldb_dn *dn; bool ret; + struct ldb_val name_val = + data_blob_string_const(name); dn = ldb_dn_copy(mem_ctx, z->zone_dn); if (dn == NULL) { @@ -378,9 +380,17 @@ struct ldb_dn *dnsserver_name_to_dn(TALLOC_CTX *mem_ctx, struct dnsserver_zone * } if (strcasecmp(name, z->name) == 0) { ret = ldb_dn_add_child_fmt(dn, "DC=@"); - } else { - ret = ldb_dn_add_child_fmt(dn, "DC=%s", name); + if (!ret) { + talloc_free(dn); + return NULL; + } + return dn; } + + ret = ldb_dn_add_child_val(dn, + "DC", + name_val); + if (!ret) { talloc_free(dn); return NULL; |
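Review bot: The rewrite of dnsserver_name_to_dn() now has two identical `if (!ret) { talloc_free(dn); return NULL; }` blocks where one was enough. Keeping the original if/else and changing only the else branch to `ret = ldb_dn_add_child_val(dn, "DC", name_val);` gives the same escaping with a single failure path, which is easier to audit. The `DC=@` branch never reads `name_val`, so the declaration could move next to its only use. The end of the second `if (!ret)` block lies outside the hunk.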